Many Android apps send your private information to advertisers

Huge privacy concern uncovered by researchers

A large number of Android apps are covertly transmitting GPS and phone data to advertisers, according to research from Duke University, Pennsylvania State University, and Intel Labs.

The trio got together to develop software called TaintDroid, which detects when apps send private information to remote servers. They picked 30 popular free applications from the Android Market at random and found that half of them were sending sensitive information to advertisers, including the GPS-tracked location of the user and their telephone number.

The findings raise serious privacy concerns for the Android platform, which has been enjoying rising success as it competes with Apple's iPhone. Unauthorised data mining is the last thing an Android user wants, and the extent to which this is occurring is extremely worrying.

Android has a number of safety features in place, including a permissions feature for the transmission of GPS data, for example, but some apps are collecting that data without permission, sometimes as often as every 30 seconds. Because many of these apps are not designed for malicious purposes, however, they fall into a grey category which Google is reluctant to touch.

Google has the ability to remotely kill and delete an application that it considers malicious. This feature raised concerns in its own right as to how much control Google has over your phone and if it should be allowed to delete something without your permission, whether it is in your best interests or not.

The flip side is that it is a very strong security feature which helps alleviate some problems that will no doubt plague the Android Market as it continues to grow. The problem is that while Google has this feature, it may not use it on the more ambiguous apps, since it means culling its app population, which still lags behind Apple's App Store.

An example of Google's reluctance is the debacle over a wallpaper app earlier this year, which covertly sent users' phone numbers to a remote server in China, a discovery made by mobile security firm Lookout. Google investigated the matter, but it found that there was no security threat, as the company behind the app was only using the phone numbers as a unique identifier of users. The app, which was temporarily suspended during the investigation, was allowed to remain in the Android Market.

Google has published privacy guidelines since then in an attempt to get app developers to be more transparent about how data is collected and used, but the fact remains that many applications are collecting information that we did not authorise, regardless of how benign and innocent their intentions might be. With Google already in hot water over its Street View snooping, it can hardly afford to appear lax when it comes to Android privacy.

* And, in related news, clothing retailer Next is to launch its own Android tablet with a 1GHz processor, 256MB of RAM, and 8GB of storage, all for £180, making it one of the cheaper entries in the tablet market and clearly one of this year's top fashion accessories.

As with every security research result surfacing these days, there is a great deal of FUD involved; it's probably the attempts of security researchers and sellers to remain relevant on the client side in the age of the smartphone.

It boils down to the fact that this is an open marketplace; if you don't trust the publisher of an application, don't use it.

And by the way, Apple can also remotely kill apps, so that anti-Google sentiment is unnecessary.

tommy t - 15 Nov 19:04

This is a really big deal. Google does not do a good job of telling users what information is being harvested and why!